CLAIMS

1. A system for managing address allocation of a
mobile terminal in WLAN inter-working without depending on
local WLAN access control, wherein a secure end-to-end
service authorization signalling between the mobile
terminal and a controller in a home domain of the mobile
terminal that has access to user subscription information
is used for address management, whereby the controller can
manage the address allocation based on service
authorization information.

2. A system for managing a tunnel used by a
mobile terminal in WLAN inter-working without depending on
local WLAN access control, wherein a secure end-to-end
service authorization signalling between the mobile
terminal and a controller in a home domain of the mobile
terminal that has access to user subscription information
is used for tunnel management, whereby the controller can
manage the tunnel based on service authorization
information.

3. A system for managing address allocation of a
mobile terminal and a tunnel used by a mobile terminal in
WLAN inter-working without depending on local WLAN access
control, wherein a secure end-to-end service authorization
signalling between the mobile terminal and a controller in
a home domain of the mobile terminal that has access to
user subscription information is used for address and
tunnel management, whereby the controller can manage the
address allocation and the tunnel based on service
authorization information.

4. The system according to any one of claims 1 to
3, wherein security association derived from a local WLAN
access control procedure for encrypting and protecting a
signalling message is used for protecting a signalling
message for the WLAN inter-working.

5. The system according to any one of claims 1 to
3, wherein domain information of the mobile terminal is
used for deciding the location of the controller in the
home domain of the mobile terminal.

6. The system according to any one of claims 1 to
3, wherein the mobile terminal embeds its domain
information in a message, and an intermediary node between
the mobile terminal and the controller accesses the domain
information and forwards the message based on the domain
information, whereby the intermediary node decides an
address for forwarding the message to the controller.

7. The system according to claim 1 or 3 wherein

i. a predefined wildcard value is used in
an address allocation request and an address allocation
reply for supporting stateless address configuration at
the mobile terminal,

ii. an address type list is included in the
address allocation request and the address allocation
reply for supporting different address types at the mobile
terminal, and

iii. an address prefix is included in an
address management message for supporting multiple address
allocation for the mobile terminal.



8. The system according to claim 1 or 3 wherein

i. the mobile terminal generates an identifier
that uniquely identifies a service access session,

ii. the service access session identifier is
included in an address message sent between the mobile
terminal and the controller for binding address allocation
operation with the service access session,

iii. the controller traces an address which the
mobile terminal uses for the service access session, and

iv. the controller retrieves the address used by
the mobile terminal for the service access session by
using the service access session identifier.

9. The system according to claim 8 wherein the 
controller uses a backend server for storage and 
maintenance of the mobile terminal's address which is used 
for the service access session. 

10. The system according to claim 8 wherein

i. the controller creates a new entry with the
mobile terminal's identifier and the service access
session's identifier as an index when the entry does not
exist in a controller's record,

ii. the controller stores the entry with the
address which is allocated for the mobile terminal for the
service access session, and

iii. the controller deletes the entry when the
mobile terminal terminates the services access session,

whereby the controller can maintain the address
configuration of the mobile terminal in the WLAN
inter-working.

11. The system according to claim 1 or 3 wherein

i. an address allocation request and a
corresponding service access request are grouped in the
service authorization information for supporting multiple
address allocation for different services access sessions
of the mobile terminal, and

ii. the controller obtains different address
configurations based on the different service access
requests of the mobile terminal,

whereby simultaneous service sessions are allowed
for the mobile terminal.

12. The system for supporting multiple address 
configurations for multiple services sessions according to 
claim 11, wherein 

i. the mobile terminal maintains a local database 
of the service access session information with the 
corresponding address configuration, and 

ii. the mobile terminal uses different addresses 
to access different services by multiplexing addresses 
using the service access session identifiers. 

13. The system for allowing adjustment of policy
settings according to any one of claims 1 to 3, wherein

i. the controller modifies policy configuration
for providing service to the mobile terminal by setting an
interface with a policy server, and

ii. policy setting is adapted on a control node
for providing service to the mobile terminal in WLAN by
having the controller triggering policy signalling to the
control node through policy control framework.

14. The system according to claim 13 wherein a set
of message format used for information exchange between a
service authorizer which authorizes service and a policy
server, the set of message format comprising:

i. an operation identifier part that indicates
operation to be taken by the policy server;

ii. a mobile terminal identifier part that
includes an identifier of the mobile terminal;

iii. a mobile terminal location information part
that includes location information of the mobile terminal
for adapting policy settings based on the location
information;

iv. a mobile terminal service information part
that includes service type of the service, and session
identifier of the service if necessary;

v. a tunnel setting information part that
includes tunnel setting information used by the mobile
terminal for accessing the service; and

vi. an address information part that includes
address information of the mobile terminal for accessing
the service.

15. A method for managing address allocation of a
mobile terminal for accessing service in WLAN
inter-working without depending on local WLAN access control
comprising:

i. a step in which the mobile terminal sends an
address management request together with a secure end-to-end
service authorization request to a controller in a
home domain of the mobile terminal that has access to user
subscription information;

ii. a step in which the controller allocates an
address for the mobile terminal to access service based on
the service authorization request and the user
subscription information; and

iii. a step in which the controller sends address
management information to the mobile terminal with the
secure end-to-end service authorization signalling.

16. A method for managing address allocation of a
mobile terminal for accessing service in WLAN
inter-working without depending on local WLAN access control
comprising:

i. a step in which the mobile terminal sends a
tunnel management request together with a secure end-to-end
service authorization request to a controller in a
home domain of the mobile terminal that has access to user
subscription information;

ii. a step in which the controller decides tunnel
configuration for the mobile terminal to access service
based on the service authorization request and the user
subscription information; and

iii. a step in which the controller sends tunnel
configuration information to the mobile terminal with the
secure end-to-end service authorization signalling.

17. A method for managing address allocation of a
mobile terminal for accessing service in WLAN
inter-working without depending on local WLAN access control
comprising:

i. a step in which the mobile terminal sends an
address and tunnel management request together with a
secure end-to-end service authorization request to a
controller in a home domain of the mobile terminal that
has access to user subscription information;

ii. a step in which the controller decides an
address and tunnel configuration for the mobile terminal
to access service based on the service authorization
request and the user subscription information; and

iii. a step in which the controller sends
information on the address and the tunnel configuration to
the mobile terminal with the secure end-to-end service

18. The method according to any one of claims 15
to 17, wherein security association derived from a local
WLAN access control procedure for encrypting and
protecting a signalling message is used for protecting a
signalling message for the WLAN inter-working.

19. The method according to any one of claims 15 
to 17, wherein domain information of the mobile terminal 
is used for deciding the location of the controller in the 
home domain of the mobile terminal. 

20. The method according to any one of claims 15 
to 17, wherein the mobile terminal embeds its domain 
information in a message, and an intermediary node between 
the mobile terminal and the controller accesses the domain 
information and forwards the message based on the domain 
information, whereby the intermediary node decides an 
address for forwarding the message to the controller. 

21. The method according to claim 15 further
comprising a step in which the address to be used by the
mobile terminal for accessing the service is negotiated
between the controller and an address management entity in
a network that provides the service requested by the
mobile terminal.

22. The method for reducing service interruption
of the mobile terminal according to claim 15, further
comprising:

i. a step in which the mobile terminal includes a
specific address in an address allocation request sent to
the controller in its home network; and

ii. a step in which the controller allocates the
address to be used according to the address allocation
request from the mobile terminal and information about the
service accessed by the mobile terminal.

23. The method for supporting multiple tunnel
types and directions according to claim 16 or 17, further
comprising:

i. a step in which the mobile terminal includes a
list of tunnel types in a tunnel request message sent to
the controller; and

ii. a step in which the mobile terminal and the
controller include tunnel direction information in the
tunnel request message and tunnel configuration message.



24. The method for managing the tunnel
configuration of the mobile terminal according to claim 16
or 17, comprising a step in which a tunnel configuration
to be used by the mobile terminal for accessing the
service between the controller and an actual tunnel end
point in a network that provides the service requested by
the mobile terminal.

25. The method for managing the tunnel 
configuration of the mobile terminal according to claim 16 
or 17, further comprising: 

i. a step in which the controller communicates 
with a management entity in the WLAN managing tunnels used 
by the mobile terminal for accessing the service; and 

ii. a step in which the management entity in the 
WLAN enables or disables the tunnel according to a 
communication result with the controller. 

26. The method for setting up a network based site
to site tunnel for the mobile terminal to access the
service according to claim 16 or 17, further comprising:

i. a step in which the controller communicates
with a tunnel management entity in the WLAN to identify
and configure a tunnel end point in the WLAN; and

ii. a step in which the controller communicates
with a tunnel management entity in a network providing the
service for the mobile terminal to identify and configure
the tunnel end points in the network.



27. The method according to claim 16 or 17
comprising a step in which the controller communicates
with a backend server in the mobile terminal's home
network for the user's subscription information.



28. The method according to claim 15 or 17,
wherein the mobile terminal uses a set of message format,
the set of message format comprising:

i. a home domain information part that includes
the mobile terminal's home domain information accessible
to all network nodes;

ii. a user's identity information part that is
only accessible by a node authorizing a service request;

iii. a service request information part that
contains one or more service requests only accessible by
the node authorizing the service request;

iv. a WLAN identifier information part; and

v. an address request information part that
contains one or more address requests corresponding to the
service request.

29. The method according to claim 16 or 17,
wherein the mobile terminal uses a set of message format,
the set of message format comprising:

i. a mobile terminal's home domain information
part;

ii. a user's identity information part that is
only accessible by the node authorizing a service request;

iii. a service request information part that
contains one or more service requests only accessible by
the node authorizing the service request;

iv. a WLAN identifier information part that
includes a WLAN identifier; and

v. a tunnel configuration request information
part that includes one or more tunnel configuration
requests corresponding to the service request.

30. The method according to claim 21, wherein the
controller uses a set of message format, the set of
message format comprising:

i. a part of an identifier of the mobile
terminal's home network;

ii. a part of an identifier of the service session
regarding a service request;

iii. a part of an identifier of the mobile terminal
in the service request;

iv. a service request information part that
includes one or more service requests; and

v. an address configuration request information
part that includes one or more address configuration
requests corresponding to the service request.

31. The method according to claim 24, wherein the
controller uses a set of message format, the set of
message format comprising:

i. a part of an identifier of the mobile
terminal's home network;

ii. a part of an identifier of the service session
regarding a service request;

iii. a part of an identifier of the mobile terminal
in the service request;

iv. a service request information part that
includes one or more service requests; and

v. a tunnel configuration request information
part that includes one or more tunnel configuration
requests corresponding to the service request.



